We’re starting to think Amex doesn’t take this whole “data security” thing very seriously. First they confused a customer, and us, a few months ago with their random confirmation phone call, where they demanded a customer turn over bank account information over the phone without giving him a way to verify they were really Amex. Now a reader says the company has “for years” been sending him someone else’s account info via email, including the customer’s name and the last 5 digits of his account number. J.R. writes, “Seriously, I’ve seen better security on a video game forum.”

For years, American Express has flooded my inbox with emails intended for one of their customers (who gave them my address by mistake).

These emails contain sensitive data, including the customer’s name *and last five digits of his account*.

Get this: American Express doesn’t send out email verification letters!

I could tell you the whole sad, scary, hilarious story if you want me to, including the bit where the superior of a superior I finally talked to told me flat out that, “American Express does not email its customers the last five digits of their account,” and then sat in awkward silence as I *quoted him back his own company’s email*.

I just wanted you to know that customers of American Express may have their sensitive data compromised, and that AmEx makes it damn near impossible to report a case like this and then does absolutely nothing about it.

Comments


Wow, that’s a pretty big security issue. Chances are they don’t have a set way to handle that. If you can’t get the CSR to action the issue request a supervisor. They will know how to work around a process that doesn’t exist.

Amex put that little chip in my blue card, which is insecure, so I called up customer service, who literally laughed at me when I informed them of the insecurity of said chip. I said I wanted a card that didn’t have a chip; they claimed they didn’t make one any more. However, I found an article that said Amex execs agreed to send out a non-chip card to anyone who requested it. Of course, the CSR (what a surprise) had never heard of that agreement.

According to them, they can “disable” the chip remotely. Makes me feel so much better.

@sanjsrik: The chip is an RFID chip that cannot be disabled remotely. They might be able to stop it from being used, but your info is still broadcasting from that chip. Call the Card Replacement Unit (800-922-3404) and ask the rep to send a card without the chip. It is possible, but rarely is it asked for. Ask for an account manager if they don’t know what you’re talking about.

Either that, or go at it with a nail and hammer! That’ll do the trick! ;)

@sanjsrik: What security issues are there with the Amex chip? I’ve never dealt with the Amex cards themselves but work with smartcards, and if it was just a contact chip, presumably requiring a PIN, it should have been rather secure (more so than a credit card number alone).

That is unless you are talking about the newer contactless (RFID) chips. Those do have legitimate security issues.

@sanjsrik: They don’t do the non-chipped cards anymore, but they will “disable” the chip — the chip has a different number (or code or whatever) than the card and if someone tries to use the chip number, it’ll be flagged as fraud.

@sanjsrik: My cards that came with RFIDs in them all got the hole-punch treatment. On rare occasion, a cashier will ask about the hole, then I tell them about how insecure the chips are, and they go and do it to their cards!

While I’m not sure I’d be too worried about my name and 5 digits, it is still weird. Definitely matches the twilight-zone meter with the random security calls mentioned earlier.

Doesn’t this all come down to the fact that the banks don’t have to care, so they don’t? I mean, they obviously see their adversarial relationship with customers as good business. So without the “assistance” of ground rules, why would we expect them to improve?

I wouldn’t worry about the last 5 digits either. I’m not making excuses for amex, but 4 of those last five digits aren’t part of the “real” account number. They indicate whether it’s a replacement card, and a primary or supplemental card. The last one is a check digit. All this according to a thread on flyertalk.

@HiPwr: You probably should. Since I have had AMEX for about a year, with a relatively “low” limit; never a late payment…and they randomly closed my account a couple of months ago based on a 30-day notice from a store credit card from three years ago–which was obviously on my credit report when they originally issued me the AMEX card to begin with–and which has nothing to do with AMEX in any way, shape or form…

It makes me furious that AMEX feels as if it can play around with people’s credit ratings like that. Oh, and the response when I said that this was going to affect my rating? The CSR had the balls to tell me that “oh, no, it won’t affect your rating because AMEX closed your account.” I have one word for that– BULLSHIT.

Why don’t more people wonder why AMEX can suddenly afford to pay back the TARP loan when they were in such “dire straits” in 2008? I can see it now–“Oh wait–no bonuses? Let’s screw up some nobody’s chance at getting a mortgage, why don’t we?”

You can’t really do much with someone’s name and the last 5 digits of a card number. Security isn’t an issue here, the unsolicited e-mails should be the only problem.

Call them up and ask to be transferred to online services. Those folks may be able to get the e-mails to stop. Otherwise, just mark them as spam and delete them.

As far as getting a phone call from someone claiming to be American Express, just tell the person that you don’t feel comfortable since they called you, and ask for the name of their department. Call the number on the back of your card and ask for that department.

This also reminds me of one of my ex-coworkers receiving someone else’s frequent flyer envelopes. He called the airline to tell them they have the wrong address, and they told him they can’t change the info or stop mailing unless the customer himself requests it, for privacy reasons… even though continuing to send it is more of a privacy breach.

@macinjosh: Most companies, including American Express, have a feature to stop mailing stuff to an address on an account that gets mail returned.

So if you’re getting someone else’s mail, do not open it and try to call the company and tell them to stop. Just return to sender any mail that’s not yours; the company will notice that person’s address is wrong and it’ll stop all mailings for good.

I accept credit cards in an industry (Web hosting) at high risk for fraud, and had a high chargeback rate a few years ago before I got better at screening orders. AmEx sent me chargebacks all the time that were intended for other merchants, or had a whole bunch of cardholders’ sensitive information attached as documentation when it wasn’t needed. Once I caught onto patterns of fraud, I tried calling them to report suspicious orders; 80% of the time, they’d refuse to check with the cardholder or even verify that the cardholder phone number I had was correct.

AmEx’s policies are very buyer-friendly, but they’re a nightmare for merchants and their bad data handling hurts everyone.

One thing I have noticed over the years I have been with Amex… when I am issued a new card, only the last five digits are changed. I have had personal and business cards with them… on all of them, the last five. To me it would be pretty easy to use those last five digits in the email for bad purposes.

Amex are absolute idiots and have horrible customer service. I’ve lived at this address for 5 years and they STILL send mail here for the previous house owner. I’ve called them at least once every two months to tell them he doesn’t live here, as well as Return to Sender on each and every piece of mail, and they still don’t get it.

@scoosdad: Or send a letter requesting a new card in that name (using all of your correct info) and see if they issue it. Publish AMEX’s stupidity on the internet if they do issue a replacement card in that other person’s name to you at your address.

A discount broker I worked for would have customer apps with signature, socials, etc. faxed to a Tae Kwon Do studio, as their fax number was one digit off of another branch’s fax number. Made the trip over there a couple of times. I always laugh when people go on about cyber security when it is faxes that are the most ridiculously insecure forms of communication out there.

Plus, a dry cleaner accidentally gave out one of our phone numbers as theirs in their ads etc. due to a couple of inverted digits, and we got numerous calls etc. from their back office, including ones giving us the “heads up” about surprise audits and inspections. Took them a good year before the calls finally quit coming in.

My parents’ home shared a close number with a local restaurant, and they ended up getting comped a meal a month due to the issue. They even ended up advertising the restaurant on their answering machine message when the message gave out the correct number.

Sounds silly, but I’d suggest an EECB with a CC to a few news tiplines. CSRs may not know anything that’s happening, even a “superior of a superior.” They’re often in separate, disconnected departments in the company, and we all know the problems with outsourcing. Get somebody who can take action in the know, and pepper on a little public disgrace.

I have been getting emails for years for someone else’s Wells Fargo account. At one point I even had his name. I have called Wells Fargo several times but they don’t seem to give a damn. This guy seems to be a deadbeat since his account is almost always overdrawn but the latest missive said they just sent him a new debit card so I guess WFB is making money on all the penalties and fees.

I keep getting what are apparently report cards and status reports on someone some school seems to think is my daughter (I have NO biological offspring – that I’m aware of).

I used to write them that she isn’t mine… and I don’t need to know how she’s doing in her studies.
Now… I remind them to pile on the organic chemistry, trig and classes in Mandarin. She LOVES the challenge!!

I have the same first initial and last name as my Mom. We both have a Costco Amex, but they are separate accounts, at different addresses, with different phone numbers. Amex has now called me about 10 times regarding a problem with a purchase she made (she typed in the wrong verification code). I’ve told them about 10 times exactly what the problem is, what her correct info is, etc. And yet, they keep calling. I suppose it’s lucky in that they’re only calling me, but I shudder to think about how poor their CSR tracking must be, since all that we share in common, as far as Amex knows, is a first initial and last name. Can’t imagine what might be happening to the John Smiths of the world.